Impersonation Protect - Impersonation Protect Definitions

This article describes how to configure the Impersonation Protect definition.

We provide a list of Impersonation Protect definitions and policy settings based on commonly used configurations that provide an optimal solution to protect you against targeted spear phishing attacks. 
To configure an Impersonation Protect definition:

  1. Log in to the Mimecast Administration Console.
  2. Navigate to Policies | Gateway Policies.
  3. Click on the Definitions button.
  4. Select the Impersonation Protection option.
  5. Either click on the New Definition button to create a definition, or click on the definition to be changed.
  6. Complete the Identifier Settings dialog section.
Field / Option Description
Description: Describe the definition to help you identify it. This is appended to emails in the archive that have this definition applied.
Similar Internal Domain

If selected, the similarity distance of the sender's domain is checked against your internal domains. For example, if the sender's domain is minecast.com and you have the mimecast.com internal domain, the similarity distance is 1 because one character is different. Mimecast automatically calculates the optimal similarity distance for the internal domains in your account, so the permitted number of differing characters varies with the length of each internal domain.

The sender's domain is also checked against the Mimecast Safe Category List. If it appears on that list, it is not matched by the Similar Internal Domain check.

This check only covers look-alike domains. For protection against exact spoofing of your internal domain, ensure an Anti-Spoofing Policy is enabled on your account.

Check Monitored External Domains: If selected, the sender's domain is checked against your external domains according to the options below, at least one of which must be selected:
  • Check Mimecast Monitored External Domains: Checks the sender's domain against the Mimecast monitored external domains.
  • Check Custom Monitored External Domains: Checks the sender's domain against your custom monitored external domains. To update your custom domains, click the Custom Monitored External Domains button at the top of the Impersonation Protection definition list. See the Targeted Threat Protection: Custom Monitored External Domains page for more information.
Newly Observed Domain (not the same as newly registered domains)
If selected, the sender's domain is checked against a list we maintain of domains whose sending volume has increased in the last week. This includes domains registered at any time (e.g., those registered long ago but previously dormant). As we don't see all email traffic, the list may not contain every potential threat.
Display Name: If selected, the All Internal User Names and Custom User Names fields are displayed. These allow you to control how a sender's display name is checked for a potential impersonation attack.
  • All Internal User Names: References all users under Internal Directories.
  • Custom User Names: Any custom name can be entered; it does not need to exist in the Internal Directories.

    If a sender's display name matches the recipient's display name, the Impersonation Protection display name check does not apply and does not contribute to the hit count.

Internal User Name: If selected, the sender's display name (e.g., their first and last name) is checked to see if it matches one of your internal user display names, so that threats spoofing an internal user are detected. Names are normalized to account for display name variations (e.g., "<firstname> <initial> <lastname>", "<lastname> <firstname>").

A few exceptions prevent Impersonation Protection from applying to an inbound message:

  1. Users seen as "Created by Message in Transit" are not checked. See the article on this address type and the differences between the various address types in Internal Directories.
  2. If a message is sent from an external address with the same display name or username as the internal recipient (i.e., from "User One" to userone@aninternaldomain.com), it is assumed the recipient will recognize they are being impersonated when the sender uses the recipient's own username or display name.
  3. Inbound messages from an external address imported by a Directory Sync as a "Mail Contact" are not subjected to display name checks. Such addresses are marked with an icon in External Directories.

Custom Display Names: Use this field to add nicknames for users that may otherwise be missed by the All Internal User Names option. For example, if the recipient's display name is Andrew Smith, enter Andy Smith and Andi Smith so that these variants are matched as well. It also allows scoping the names to check against (e.g., if you do not want to match on all internal user names, use this option to check only a subset). When entering nicknames:
  • Only plain text is allowed (i.e., no quotes or regular expressions).
  • Each nickname must be on a separate line.
  • Entries are case-insensitive.
  • A hit on this field, the All Internal User Names field, or both counts as a single hit, so a match is never double-counted.
  • Enter a maximum of 5000 Custom Display Name entries.
  • Entries are normalized in the same way as internal user display names (e.g., salutations are ignored) to give a stronger match against the sender's display name.
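The Internal User Name and Custom Display Names checks above both rely on normalizing display names before comparison. The following is an added example, not Mimecast's code, of how such a check can work: it folds case, accents, salutations, suffixes, middle initials and "Last, First" ordering into a canonical form, treats a hit on the internal directory and the custom list as one hit, and skips a sender whose display name equals the recipient's. The directory, nickname list, salutation and suffix tables are constructed for this example; Mimecast's exact normalization rules are not described on this page.

```python
import re
import unicodedata

# Constructed sample directory and nickname list for this example.
INTERNAL_USERS = ["Andrew Smith", "Jane Q Doe", "Bob Jones"]
CUSTOM_DISPLAY_NAMES = ["Andy Smith", "Andi Smith", "Jane Doe"]

# Assumed tables of tokens to ignore; a real list would be longer.
SALUTATIONS = {"mr", "mrs", "ms", "miss", "dr", "prof", "sir"}
SUFFIXES = {"jr", "sr", "ii", "iii", "phd", "md", "esq"}


def normalize_name(display_name):
    """Canonical form of a display name as an unordered set of name tokens.

    Handles "Last, First", "First I. Last", salutations, suffixes, accents
    and case, so that variants of the same person compare equal.
    """
    name = unicodedata.normalize("NFKD", display_name)
    name = "".join(c for c in name if not unicodedata.combining(c))
    if "," in name:                      # "Smith, Andrew" -> "Andrew Smith"
        last, _, rest = name.partition(",")
        name = rest + " " + last
    tokens = re.findall(r"[a-z']+", name.lower())
    # Drop salutations, suffixes and single-letter initials.
    tokens = [t for t in tokens
              if t not in SALUTATIONS and t not in SUFFIXES and len(t) > 1]
    return frozenset(tokens)


def display_name_hit(sender_display, recipient_display,
                     check_internal=True, custom_names=CUSTOM_DISPLAY_NAMES):
    """Return 1 if the sender's display name matches a protected name, else 0.

    A match on the internal directory, the custom list, or both counts as a
    single hit. A sender whose display name equals the recipient's own
    display name is not checked (the recipient is expected to notice).
    """
    key = normalize_name(sender_display)
    if not key or key == normalize_name(recipient_display):
        return 0
    targets = {normalize_name(n) for n in custom_names}
    if check_internal:
        targets |= {normalize_name(n) for n in INTERNAL_USERS}
    return 1 if key in targets else 0


if __name__ == "__main__":
    for sender in ["Mr. Andrew J. Smith", "Smith, Andrew", "Andi Smith",
                   "Dr Jane Q. Doe, PhD", "Bob Jones", "Carol White"]:
        print(f"{sender!r:28} -> hit={display_name_hit(sender, 'Bob Jones')}")
```

Passing `check_internal=False` reproduces the scoping behaviour described above: only the custom list is consulted, so "Andrew Smith" is not a hit while "Andy Smith" still is.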
Reply-to Address Mismatch
If selected, a check is made for a mismatch between the sender's email address (both the header From and the envelope sender) and the Reply-To email address.

Legitimate messages (e.g., newsletters) can use a Reply-To address that differs from the address the message was sent from. If so, you may need to configure an Impersonation Protect Bypass Policy for those senders.
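As an added illustration of the Reply-To check (example code, not Mimecast's implementation), the function below parses a raw message, collects the header From address and the envelope sender, and fires when any Reply-To address is outside that set. The reading that a Reply-To equal to either the header From or the envelope sender is not a mismatch is an assumption for this example, as are the sample messages, which are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample messages for this example (not real traffic).
SUSPICIOUS = """\
From: "Payroll Team" <payroll@example.com>
Reply-To: "Payroll Team" <payroll.helpdesk@mail-example.net>
To: user@example.com
Subject: Updated direct deposit form

Please confirm your bank details by replying to this message.
"""

NEWSLETTER = """\
From: "Weekly Digest" <news@newsletter.example>
Reply-To: news@newsletter.example
To: user@example.com
Subject: This week's digest

Articles you may have missed.
"""

PLAIN = """\
From: alice@partner.example
To: user@example.com
Subject: Meeting notes

Notes attached.
"""


def _addresses(header_values):
    """Lower-cased addr-specs from header values; display names are ignored."""
    return {addr.lower() for _, addr in getaddresses(header_values) if addr}


def reply_to_mismatch(raw_message, envelope_sender):
    """True when a Reply-To address points somewhere other than the sender.

    Assumed reading of the check: every Reply-To address must equal either
    the header From address or the envelope (MAIL FROM) sender; otherwise
    the identifier fires. A message with no Reply-To header never fires.
    """
    msg = message_from_string(raw_message)
    senders = _addresses(msg.get_all("From", []))
    senders.add(envelope_sender.strip().lower())
    reply_to = _addresses(msg.get_all("Reply-To", []))
    return bool(reply_to) and not reply_to <= senders


if __name__ == "__main__":
    print("suspicious:", reply_to_mismatch(SUSPICIOUS, "bounce@mail-example.net"))
    print("newsletter:", reply_to_mismatch(NEWSLETTER, "bounces-42@mta.newsletter.example"))
    print("plain:     ", reply_to_mismatch(PLAIN, "alice@partner.example"))
```

The newsletter case shows why this identifier alone is a weak signal: its envelope sender differs from the From header, as is normal for bulk mail, but the Reply-To still matches the From address, so it does not fire.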

Targeted Threat Dictionary: If selected, the message content is checked against a Targeted Threat Dictionary according to one or both of the options below:
  • Mimecast Threat Dictionary: If selected, the message is checked against a dictionary maintained by Mimecast's dedicated Messaging Security team, who monitor threats and keep the dictionary up to date. This option helps detect suspicious characteristics in the email header, body, or subject.
  • Custom Threat Dictionary: If selected, the message is checked against your own threat dictionary. See the Creating a Custom Threat Dictionary section for further details.

    The Mimecast Threat Dictionary and Custom Threat Dictionary options count as one hit in total, even when both dictionaries are in use.
Number of Hits: Specify how many of the above identifiers must match for an inbound message to invoke an action. All checks are conducted on both the Envelope and Header From addresses by default.

It's recommended that at least two identifiers are detected before taking any action, since some identifiers (e.g., a Reply-To mismatch) also occur in legitimate mail such as newsletters.

Enable Advanced Similar Domain Checks: If selected, checks are made for attacks where the sender's domain is made to look similar to your internal or monitored external domains, for example by using special characters that resemble other characters. You must have selected one of the following definition options for this feature to work:
  • Similar Internal Domain.
  • Check Monitored External Domains.
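To make the Similar Internal Domain, Safe Category List and Advanced Similar Domain Checks behaviour concrete, the following is an added example (not Mimecast's code) of a look-alike domain check. It measures edit distance against each internal domain, uses a length-dependent threshold, skips safe-listed and exact-match domains, and in advanced mode first folds full-width and accented characters and maps visually confusable characters so that "rnimecast" or a Cyrillic "і" collapses onto the real domain. The internal domain list, safe list, threshold rule and confusables table are all assumptions constructed for the example.

```python
import unicodedata

# Constructed sample data for this example; not Mimecast's actual lists.
INTERNAL_DOMAINS = ["mimecast.com", "example.org"]
SAFE_CATEGORY_LIST = {"mimecast.co"}  # hypothetical safe-listed domain

# Assumed confusable-character table (a real deployment would use the
# Unicode confusables data). Multi-character entries come first so that
# "rn" -> "m" is applied before single characters are mapped.
CONFUSABLES = {
    "rn": "m", "vv": "w",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u0456": "i", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0455": "s",
}


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def max_distance(internal_domain):
    """Assumed length-based threshold: short names tolerate fewer edits."""
    label = internal_domain.split(".")[0]
    return 1 if len(label) <= 5 else 2 if len(label) <= 10 else 3


def normalize(domain):
    """Advanced check: fold full-width/accented forms and map look-alikes."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for seq, repl in CONFUSABLES.items():
        d = d.replace(seq, repl)
    return d


def similar_domain_check(sender_domain, advanced=False,
                         internal=INTERNAL_DOMAINS, safe_list=SAFE_CATEGORY_LIST):
    """Return (matched_internal_domain, distance) or None.

    Exact matches return None: that is spoofing, which is handled by the
    Anti-Spoofing policy rather than by this similarity check.
    """
    sender = sender_domain.lower()
    if sender in safe_list or sender in internal:
        return None
    candidate = normalize(sender) if advanced else sender
    best = None
    for name in internal:
        dist = levenshtein(candidate, name)
        if dist <= max_distance(name) and (best is None or dist < best[1]):
            best = (name, dist)
    return best


if __name__ == "__main__":
    for d in ["minecast.com", "mimecast.co", "rnirnecast.com",
              "m\u0456mecast.com", "\uff4d\uff49\uff4d\uff45\uff43\uff41\uff53\uff54.com"]:
        print(f"{d!r:24} basic={similar_domain_check(d)} "
              f"advanced={similar_domain_check(d, advanced=True)}")
```

Note the difference the advanced mode makes: "rnirnecast.com" is four edits from mimecast.com and passes the basic check, but normalizes to an exact look-alike (distance 0) once "rn" is folded to "m".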
Ignore Signed Messages: If selected, checks aren't performed on digitally signed messages, so the message is not tagged and its signature remains intact.
Bypass Permitted Senders: If selected, the checks are bypassed for senders listed in a Permitted Senders policy. For more details, see Configuring Permitted Senders Policies.

Note: Auto Allow entries are not considered for this bypass.

  7. Specify the Identifier Actions to take when the Number of Hits threshold has been reached.
Field / Option Description
Action: Specify the action to be taken if the "Number of Hits" threshold is met:
  • Hold for Review: The message is accepted but placed in the Held queue. It can be viewed by selecting the Message Center | Held Messages menu item in the Mimecast Administration Console.

    If you have a Digest Set configured with the Hold Digest Content Policy option enabled, end users can release their own held items. Releasing a message via the digest won't bypass Impersonation Protection. Should this be required, a separate Impersonation Protection Bypass policy must be implemented for the sender.

  • Bounce: The message is accepted but returned to the sender with a notification. It can be viewed by selecting the Message Center | Bounced Messages menu item in the Mimecast Administration Console.
  • None: The message is accepted, and delivery to the recipient is attempted.
Hold Type: Select whether to restrict who can view held messages in Mimecast end-user applications. The default value is User, but you can restrict them to be viewed only by a Moderator or Administrator.

If Moderator is selected, held messages are still listed in the user's Digest Email.

Moderator Group: Click on the Lookup button to select a group of users to moderate the specified action.
Tag Message Body: If selected, a text box is displayed that allows you to specify a message (up to 500 characters) to add to the message's body. The text box displays as plain text by default. If required, HTML can be specified to customize the text's look and feel. The following variables can be used when customizing the text appended to the message body:
Variable: Description (Example)
[sender]: Displays the full sender address (Sender Name <sname@<domain>.com).
[senderemail]: Displays the sender's email address (sname@<domain>.com).
[sendername]: Displays the sender's name (Sender Name).
[recipient]: Displays the full recipient address (Recipient Name <rname@<domain>.com>).
[recipientemail]: Displays the recipient's email address (rname@<domain>.com).
[recipientname]: Displays the recipient's name (Recipient Name).
[replyto]: Displays the Reply-To email address (rname@<domain>.com).
[messagedate]: Displays the message date and time. This is currently only available in the US date format: <Day>, DD MMM YYYY HH:MM:SS (e.g., Fri, 13 Sep 2019 17:10).
[shortmessagedate]: Displays the message date and time. This is currently only available in the US date format: DD MMM YYYY HH:MM (e.g., 13 Sep 2019 17:10).
[original-recipient]: Displays the full original (unaliased) recipient address (Original Recipient Name <orname@<domain>.com>).
[original-recipientemail]: Displays the original (unaliased) recipient's email address (orname@<domain>.com).
[original-recipientname]: Displays the original (unaliased) recipient's name (Original Recipient Name).

If no customized text is specified, the following default text is used:

If we cannot tag a message's body (e.g., due to the message's structure), the subject is tagged instead.

Tag Subject: If selected, a text box is displayed that allows you to specify a message (up to 100 characters) to add to the message's subject. The text box displays as plain text by default. If required, HTML can be specified instead to customize the text's look and feel. If no text is specified, the following default text is used:
Tag Header: If selected, the following message is added to the email's header:
To provide extra flexibility for administrators, if header tagging is enabled, Impersonation Protection stamps the header on all inbound messages regardless of whether the Number of Hits threshold has been reached. However, the 'Suspicious' tagging is removed if the Number of Hits threshold is not met.
  8. Complete the General Actions as required.
Field / Option Description
Mark All Inbound Items as 'External': If selected, the following tagging options are available:
  • Tag Message Body: If selected, a text box is displayed that allows you to specify a message (up to 500 characters) added to the message's body. If no text is specified, the following default text is used:
    This message originated from outside your organization.
  • Tag Subject: If selected, a text box is displayed that allows you to specify a message (up to 100 characters) added to the message's subject. If no text is specified, the following default text is used:

    EXTERNAL.
  • Tag Header: If selected, the following is added to the email's header:

    X-Mimecast-Impersonation-Protect: External=(True/false).
  9. Complete the Notifications section as required.
Field / Option Description
Notify Group: Use the Lookup button to select a group of users. They will be notified when the definition is triggered and why.
Notify (Internal) Recipient: If selected, a notification is sent to the recipient of the message that triggered this definition. This applies to inbound messages only.
Notify Overseers: If selected, a notification is sent to the members of the Oversight Group when there is a Content Overseers policy active for the communication pair of the message, and the message triggered this definition.
  10. Click on the Save and Exit button.
